proxmox
Version information
This version is compatible with:
- Debian
Start using this module
Add this module to your Puppetfile:
mod 'gardouille-proxmox', '0.2.3'
Overview
The proxmox module provides a simple way to manage a Proxmox hypervisor and the OpenVZ network configuration with Puppet.
Module Description
The proxmox module automates installing Proxmox on Debian systems.
Setup
What Proxmox affects:
- Package/service/configuration files for Proxmox.
- A new sources.list file for Proxmox.
- Proxmox's cluster (master and nodes).
- System repository.
- The static table lookup for hostnames (hosts).
- Users and group permissions for the WebGUI.
- The WebGUI's service (pveproxy).
- Kernel modules loaded at boot time.
- OpenVZ's configuration file.
- OpenVZ's service.
- OpenVZ CT network configuration.
Beginning with Proxmox
To begin using the proxmox module with default parameters, declare the hypervisor class with include proxmox::hypervisor.
Usage
Hypervisor
include proxmox::hypervisor
Note: The module will NOT automatically reboot the system onto the PVE kernel. You will need to reboot it manually and then run the puppet agent again.
KVM only
If you will only use KVM, you can get a more recent kernel with:
class { 'proxmox::hypervisor':
kvm_only => true,
}
Disable additional modules
Disable all additional modules loaded at boot time:
class { 'proxmox::hypervisor':
pve_modules_list => [ '' ],
}
Create a full-KVM cluster (for Ceph)
node "pve_node" {
# Install a full-KVM hypervisor
class { 'proxmox::hypervisor':
pveproxy_allow => '127.0.0.1,192.168.0.0/24',
kvm_only => true,
cluster_master_ip => '192.168.0.201',
cluster_name => 'DeepThought',
}
# Access to PVE Webgui
proxmox::hypervisor::group { 'sysadmin': role => "Administrator", users => [ 'marvin@pam', 'arthur@pam' ] }
# SSH authorized keys between all nodes without passphrase (the module generates a key if none is present)
ssh_authorized_key { 'hyper01':
ensure => present,
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDQxnLaBlnujnByt3V7YLZv1+PTjREJ3hphZFdCVNs9ebED55/kEAPmtJzcq2OL7qk8PajvhpB7efuZAatKeCdhILpFBKRrCo/q3MsQUSyaHbrGKs8Kkpz0EBHp1Tgpd8i1+kF1EzVPqT/euNcI6cA3fyMrvdgTI25BwFt93A6bBpf4We7A0l0Ba2nCAs5ekWyKKLh54GO7KBHlMmIzboYpxwgnFcbb9UhuyUz2J6PSC0K+P+hdMXY4dFk/lPMEXLgve/TTPYpgDxgxWMUaobCanwBWcXkZ4MdJw2Qs6TQ0v+cOxX3ogr78w69naGB3joJ4ll31WA+Uo0mcZU3ylFj3',
type => 'ssh-rsa',
user => 'root',
options => 'from="192.168.0.201"',
}
ssh_authorized_key { 'hyper02':
ensure => present,
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCxJeQ1R1rhPoig4jZLA8/Haru3nhVMgvDgO7nIqpwuPkDrheINVHOAd+DyQF0I2MtAjzg9gKfyix/cJ0cWMbd6/FdSVJ39dGYtNG9/YwTBcQiYwT0xS4NgJHzKrYE9PH2HEmjTmzcDeZ/u+IZjhO3Kyy9yZKcOhwV6fD+mzjQb4S2zsy67R/aoySbZjuoZYHrBrfjc66WbPbLtsFXIXuk46N376Y5sX37Bj17HhDEdP/lc9v939SswW1RZ2t1mVAjsMdsyBULDZk5av6Uj//YT1KuZBmBWkp7nPp1yt2ANPPGAnEW3oYjzXJd56Xtf3d0nbHOdHvMmIiV9fZyRUATd',
type => 'ssh-rsa',
user => 'root',
options => 'from="192.168.0.202"',
}
# Verify the authenticity of each host (/etc/ssh/ssh_host_{rsa,ecdsa}_key.pub)
sshkey { 'hyper01':
ensure => present,
host_aliases => [ 'hyper01.domain.org', '192.168.42.201' ],
key => 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ3TC6B3+eVbohjk662FwM/1YUCjMwMT9lmZcNcfllF9Vm082lMXtKix20elUCK9yJDpPWvzFiqdyhgqPAeCNt4=',
target => '/root/.ssh/known_hosts',
type => 'ecdsa-sha2-nistp256',
}
sshkey { 'hyper02':
ensure => present,
host_aliases => [ 'hyper02.domain.org', '192.168.42.202' ],
key => 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEqUpnig3DIQVZEr3LxJCVEF/fl4n1s8LNuUUaLRueCW2ygzNBOv2m7O42K/Ok7aa4kjGaXbnneYXMw3wBULJ1U=',
target => '/root/.ssh/known_hosts',
type => 'ecdsa-sha2-nistp256',
}
# If you don't have a DNS service, I recommend having an entry for each node in the hosts file
host { 'hyper01':
name => "hyper01.${::domain}",
ensure => present,
ip => '192.168.42.201',
host_aliases => 'hyper01',
}
host { 'hyper02':
name => "hyper02.${::domain}",
ensure => present,
ip => '192.168.42.202',
host_aliases => 'hyper02',
}
}
node /hyper0[12]/ inherits "pve_node" {
}
This will create a Proxmox cluster named "DeepThought", with "hyper01" as the master. You can also manage all SSH resources (and host entries) manually on each node.
VM
Only OpenVZ is supported right now, but the vm class will check this by itself:
include proxmox::vm
proxmox::vm::openvz
Automatically called by the proxmox::vm class, it manages the network configuration, but only a few configurations are possible:
- Only one Virtual Ethernet device (aka veth), and it will work with DHCP.
- If a veth is available, it will be the main network interface (the default gateway is set through eth0).
- If a veth is available, only one Virtual Network device (aka venet) has a chance to work (the first one), because all other routes will be flushed.
- If there are only venet devices: no changes.
Reference
Classes
- proxmox: Main class, does nothing right now.
- proxmox::hypervisor: Installs the Proxmox hypervisor on the system.
- proxmox::vm: Manages virtual machines and containers.
Defined types
proxmox::hypervisor::group: Manage groups for the Proxmox WebGUI and set permissions.
proxmox::hypervisor::group { 'sysadmin':
role => "Administrator",
users => [ 'user1@pam', 'toto@pve' ],
}
proxmox::hypervisor::user: Manage a user for the Proxmox WebGUI.
proxmox::hypervisor::user { 'marvin':
group => 'sysadmin',
}
Mainly used by the proxmox::hypervisor::group defined type to create the group and its permissions, and also to create the users and add them to the group. To add a user to a group via this defined type, the group must already exist.
Parameters
proxmox::hypervisor
ve_pkg_ensure: What to set the Virtual Environment package to. Can be 'present', 'absent' or 'version'. Defaults to 'present'.
ve_pkg_name: The list of Virtual Environment packages. Can be an array [ 'proxmox-ve-2.6.32', 'ksm-control-daemon', 'vzprocps', 'open-iscsi', 'bootlogd', 'pve-firmware' ].
kvm_only: If set to 'true', Puppet will install a newer kernel compatible only with KVM. Accepts 'true' or 'false'. Defaults to 'false'.
kernel_kvm_pkg_name: The list of packages to install the newer kernel. Can be an array [ 'pve-kernel-3.10.0-9-pve', '...' ].
kernel_pkg_name: The list of packages to install a kernel compatible with both KVM and OpenVZ. Can be an array [ 'pve-kernel-2.6.32-39-pve', '...' ].
rec_pkg_name: The list of recommended and useful packages for Proxmox. Can be an array [ 'ntp', 'ssh', 'lvm2', 'bridge-utils' ].
old_pkg_ensure: What to set useless packages to (non-recommended, previous kernel, ...). Can be 'present' or 'absent'. Defaults to 'absent'.
old_pkg_name: The list of useless packages. Can be an array [ 'acpid', 'linux-image-amd64', 'linux-base', 'linux-image-3.2.0-4-amd64' ].
pve_enterprise_repo_ensure: Choose whether to keep the PVE enterprise repository. Can be 'present' or 'absent'. Defaults to 'absent'.
pveproxy_default_path: Path of the configuration file read by the pveproxy service. Defaults to '/etc/default/pveproxy'.
pveproxy_default_content: Template file used to generate the previous configuration file. Defaults to 'proxmox/hypervisor/pveproxy_default.erb'.
pveproxy_allow: Authorized IP addresses. Can be IP addresses, ranges or networks, separated by commas (example: '192.168.0.0/24,10.10.0.1-10.10.0.5'). Defaults to '127.0.0.1'.
pveproxy_deny: Unauthorized IP addresses. Can be 'all' or IP addresses, ranges or networks, separated by commas. Defaults to 'all'.
pveproxy_policy: The access policy. Can be 'allow' or 'deny'. Defaults to 'deny'.
pveproxy_service_name: WebGUI's service name (replaces Apache2 since v3.0). Defaults to 'pveproxy'.
pveproxy_service_manage: If set to 'true', Puppet will manage the WebGUI's service. Can be 'true' or 'false'. Defaults to 'true'.
pveproxy_service_enabled: If set to 'true', Puppet will ensure the WebGUI's service is running. Can be 'true' or 'false'. Defaults to 'true'.
pve_modules_list: The list of additional modules to load at boot time.
pve_modules_file_path: The configuration file that will contain the modules list. Defaults to '/etc/modules-load.d/proxmox.conf'.
pve_modules_file_content: Template file used to generate the previous configuration file. Defaults to 'proxmox/hypervisor/proxmox_modules.conf.erb'.
vz_config_file_path: Path of the main OpenVZ configuration file. Defaults to '/etc/vz/vz.conf'.
vz_config_file_tpl: Template file used to generate the OpenVZ configuration file. Defaults to 'proxmox/hypervisor/vz.conf.erb'.
vz_iptables_modules: If set to 'true', OpenVZ will share a list of iptables modules with the containers. Can be 'true' or 'false'. Defaults to 'true'.
vz_service_name: The OpenVZ service name. Defaults to 'vz'.
vz_service_manage: If set to 'true', Puppet will manage the OpenVZ service. Can be 'true' or 'false'. Defaults to 'true'.
vz_service_enabled: If set to 'true', Puppet will ensure the OpenVZ service is running. Can be 'true' or 'false'. Defaults to 'true'.
labs_firewall_rule: If set to 'true', Puppet will set an iptables rule to allow access to the WebGUI and VNC ports. Can be 'true' or 'false'. Defaults to 'false'.
cluster_master_ip: The IP address of the "master" node that will create the cluster. Must be an IP address. Defaults to 'undef'.
cluster_name: The cluster's name. Defaults to 'undef'.
proxmox::vm
vm_interfaces_path: The main network configuration file. Defaults to '/etc/network/interfaces'.
vm_interfaces_content: Template file used to generate the previous configuration file. Defaults to 'proxmox/vm/openvz_interfaces.erb'.
vm_interfaces_tail_path: A second network configuration file that will be concatenated into the main one. Defaults to '/etc/network/interfaces.tail'.
vm_interfaces_tail_content: Template file used to generate the previous configuration file. Defaults to 'proxmox/vm/openzv_interfaces.tail.erb'.
network_service_name: Network service name. Defaults to 'networking'.
network_service_manage: If set to 'true', Puppet will manage the network service. Can be 'true' or 'false'. Defaults to 'true'.
network_service_enabled: If set to 'true', Puppet will ensure the network service is running. Can be 'true' or 'false'. Defaults to 'true'.
Other notes
By default proxmox::hypervisor comes with several kernel modules loaded at boot time, mainly iptables modules so that iptables can be used inside the OpenVZ CTs.
The default modules list:
iptable_filter
iptable_mangle
iptable_nat
ipt_length (=xt_length)
ipt_limit (=xt_limit)
ipt_LOG
ipt_MASQUERADE
ipt_multiport (=xt_multiport)
ipt_owner (=xt_owner)
ipt_recent (=xt_recent)
ipt_REDIRECT
ipt_REJECT
ipt_state (=xt_state)
ipt_TCPMSS (=xt_TCPMSS)
ipt_tcpmss (=xt_tcpmss)
ipt_TOS
ipt_tos
ip_conntrack (=nf_conntrack)
ip_nat_ftp (=nf_nat_ftp)
xt_iprange
xt_comment
ip6table_filter
ip6table_mangle
ip6t_REJECT
See the hypervisor usage if you want to disable this, or the parameters if you want to edit the list.
Limitations
This module will only work on Debian 7.x versions.
Development
Feel free to send contributions, fork it, ...
License
WTFPL (http://wtfpl.org/)
0.2.3 - 2015/06/01
Features
- New fact is_pve_kernel checks if the running kernel is a PVE kernel.
Changes
- Some installation instructions only run on a PVE kernel (tests the new is_pve_kernel fact).
- Use the stdlib function 'ensure_packages' to install recommended packages instead of 'if ! defined'.
- Upgrade pve-kernel-3.10.0-9-pve and pve-kernel-2.6.32-39 to the latest version.
- Correct puppet-lint warnings.
Bugfixes
- #14 The module no longer automatically reboots nodes after a kernel upgrade; it shows a warning message instead.
0.2.2 - 2015/03/25
Features
- A new subclass automates the creation of a cluster from the master and the join of the other nodes.
Changes
- Update README.md.
- Upgrade pve-kernel-3.10.0-8-pve and pve-kernel-2.6.32-37 to the latest version.
- Puppet-lint
- Add a case for 'kvm' VMs; it doesn't do anything right now, waiting for specifics (packages, config, …).
Bugfixes
- (#11) Add a new fact to get a valid netmask for OpenVZ's virtual interfaces (venet).
- (#11) Use the new fact vznetmask_venet0_0 to add the route in interfaces.tail file.
0.2.1 - 2015/02/03
Features
- Manage the main OpenVZ configuration file (/etc/vz/vz.conf).
- Add vz service management.
Changes
- The network management for an OpenVZ CT now works for the whole Debian family and not only Debian >=7.
- Modifications of the OpenVZ configuration file notify the 'vz' service.
- Set an option to manage iptables modules in OpenVZ configuration.
- Correct puppet-lint warnings.
0.2.0 - 2015/01/27
Summary
This release introduces a new subclass for OpenVZ CT (network management):
include proxmox::vm
It also provides an array of kernel modules loaded at boot.
Features
- (#2) Add an array and a file to load additional modules.
- (#9) Add a puppetlabs-firewall rule.
- (#3) Add a new class and subclass: proxmox::vm::openvz to manage OpenVZ CT.
- (#3) Add a new fact to calculate venet's network with /24 instead of /32.
- Add many modules (mainly for iptables) to load at startup (see README.md).
Bugfixes
- Correct module's dependencies.
- Run the proxmox::hypervisor::group only if PVE is installed.
Changes
- README.md: Add examples, a table of contents, information about proxmox::vm::openvz (#3).
- Correct indentation, double quote, ...
0.1.0 - 2015/01/15
This release introduces new defined types:
proxmox::hypervisor::group { 'sysadmin':
role => 'Administrator',
users => [ 'root@pam', 'test@pve' ],
}
proxmox::hypervisor::user { 'toto@pve':
group => 'sysadmin',
}
It also jumps directly to 0.1.0, as the module now allows managing a simple Proxmox hypervisor.
Changes
- Add a variable to choose to keep PVE enterprise repo for the subscribers.
- (#4) Add an access control list for PveProxy.
- (#4) Add a new class to manage Proxmox's service (proxmox::hypervisor::service).
- (#6) Add a new defined type to manage groups for PVE WebGUI.
- (#7) Add a new defined type to manage users for PVE WebGUI.
- Update the README.md file for (#6) group and (#7) user defined types.
- Add a test for (#6) group and (#7) user defined types.
0.0.2 - 2015/01/08
New functionality release, Proxmox installation now working :)
Changes
- (#1) Possibility to choose between a newer kernel that only supports KVM or a ~2.6.32 kernel that supports both KVM and OpenVZ.
- (#1) Install the Virtual Environment; it works after 2 puppet runs.
- Add new test (hypervisor_kvm_only).
- Add a fact to check if Proxmox is "available".
- Add a new class: proxmox::hypervisor::config for some tiny configurations.
- Remove the subscription message in the web gui.
- Add operatingsystem_support information in the metadata.json (to correct the error in Metadata Quality).
- Correct wtfpl into WTFPL to be recognized by SPDX (Metadata Quality).
- Correct indentation, double quote, ...
0.0.1 - 2015/01/07
Initial release.
Changes
- Only prepare the system for Proxmox installation (proxmox::hypervisor::preconfig)
Dependencies
- puppetlabs/stdlib (4.x)
- puppetlabs/apt (>=1.1.0 <2.0.0)